Skip to content

Add the new ipv6 ASG group to the docu#212

Draft
Milena-Encheva wants to merge 3 commits intocloudfoundry:masterfrom
sap-contributions:add-public-networks-ipv6-to-asgs
Draft

Add the new ipv6 ASG group to the docu#212
Milena-Encheva wants to merge 3 commits intocloudfoundry:masterfrom
sap-contributions:add-public-networks-ipv6-to-asgs

Conversation

@Milena-Encheva
Copy link

@Milena-Encheva Milena-Encheva commented Aug 13, 2025
edited
Loading

Adding the new public_networks_ipv6 to the CF concepts for ASGs.

This group is experimentally added to manage IPv6 egress traffic. It is particularly intended for test purposes.

NB: The feature is not released yet and the PR is not to be merged. Once released, we will update again and note the release's version.

peanball
peanball suggested changes Aug 13, 2025
View reviewed changes
_default_asg_oss.html.md.erb Outdated
@@ -1,4 +1,4 @@
Cloud Foundry preconfigures two ASGs: `public_networks` and `dns`.
Cloud Foundry preconfigures three ASGs: `public_networks`, `dns` and the experimental `public_networks_ipv6`.
Copy link

@peanball peanball Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It preconfigures two. The third is added via experimental opsfile, so not on by default.

asg.html.md.erb Outdated
| --- | ---
| `dns` | DNS, either public or private |
| `public-networks` | Public networks, excluding IaaS metadata endpoints |
| `public_networks_ipv6` | Public IPV6 networks |
Copy link

@peanball peanball Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `public_networks_ipv6` | Public IPV6 networks |
| `public_networks_ipv6` | Public IPv6 networks |

asg.html.md.erb Outdated
### <a id='public-networks-ipv6-example'></a> Public IPv6 networks

For IPv6-enabled environments, public repositories and services are generally accessible within the range 2000::/3.
As this configuration is in an experimental phase, the provided range is intended for testing purposes only. Before deploying in production environments, additional research on IPs to exclude for enhanced security is recommended.
Copy link

@peanball peanball Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"additional research" seems very vague. There are a few examples in the comment in the ops file that could be useful (i.e. things that are considered "internal" and protected otherwise, but from within the CF environment they're still reachable but shouldn't be)

asg.html.md.erb Outdated

### <a id='public-networks-ipv6-example'></a> Public IPv6 networks

For IPv6-enabled environments, public repositories and services are generally accessible within the range 2000::/3.
Copy link

@peanball peanball Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for IPv6 networking in general, not specific to CF. The idea is that addressing was approached in a different way for IPv6, where there is a known "public" range. In IPv6 everything that is not explicitly private is public. This is not the case in IPv6.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peanball peanball Awaiting requested review from peanball

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Milena-Encheva @peanball